Researchers Find Flaw in Online Transactions Encryption Systems

When companies sell goods online, they go about it in one of two ways. The first is to set up their own password protection system. The second, used far more often, is to outsource it to a company that specializes in password and encryption systems. To do that, explain researchers at the Electronic Frontier Foundation, all of the information involved in the transaction must be encrypted, which means it’s converted from its normal format to one that can’t be recognized by someone else. Thus, if an intruder gains access to account information, it would appear as gobbledygook. That is, unless they can gain access to the login name and password. And that is at the heart of a recent security breach EFF has found that could have worldwide implications for online vendors. They have found that the encryption code used by the majority of online encryption vendors is just 99.8% secure, which means, according to the AFP newswire, via Inquirer Technology, that roughly two percent of the time, meaning two percent of transactions, the information is weakly encrypted to the extent that an intruder could conceivably decrypt the account information.

Most people are familiar with the typical login and password associated with entry to banking, credit card and even PayPal accounts. For most of those systems, users are able to create their own logins and passwords so that they will be easy to remember. But, to make sure those logins and passwords remain secure, the encryption company generates a separate password that is both unique to the account and encrypted itself so that hackers can’t gain access to it. The problem is, in two percent of cases, the password, which is randomly generated each time a user tries to access an account, isn’t strong, which means it could conceivably be something as simple as 123456789, a very easy-to-crack password. Thus, if a hacker manages to crack the encrypted password, they would be able to gain access to the login and password that the user typed when trying to access the system, which means they could gain access not just that one time, but anytime they wish, since the system would forever after recognize them as a legitimate account holder, or at least until the user decides to change their password, which rarely happens.

EFF discovered this flaw just recently and is announcing it in the hope that security systems companies will take action to change their random generators to reduce the number of weak passwords to near zero, thus protecting consumers.

